The Ex-Google Hacker Taking on the World’s Spy Agencies

During his last six years working as an elite security researcher for Google, the hacker known as Morgan Mayhem spent his nights and weekends hunting down the malware used to spy on vulnerable targets like human rights activists and political dissidents.

His new job tasks him with defending a different endangered species: American national security journalists.

For the last month, 34-year-old Morgan Marquis-Boire has been the director of security for First Look Media, the media startup founded by eBay billionaire Pierre Omidyar that has recruited journalists Glenn Greenwald and Laura Poitras.[1] The website has become the most prolific publisher of NSA leaker Edward Snowden’s remaining secrets. Marquis-Boire’s daunting task is to safeguard those documents, and the communications of reporters who have perhaps the press’ most adversarial relationships with Western intelligence agencies.

Beyond protecting Snowden’s favorite journalists, Marquis-Boire sees his decision to leave Google for First Look as a chance to focus full-time on the problem of protecting reporters and activists as a whole, groups he sees as some of the most sensitive targets for governments globally. “I look at the risk posed to individuals in the real world,” says Marquis-Boire, an imposing, often black-clad New Zealander with earrings, dreadlocks, and a taste for death metal. “In human rights and journalism, the consequences of communications being compromised are imprisonment, physical violence, and even death. These types of users need security assistance in a very real sense.”

In the detective work required to pin those stealthy spying incidents on repressive governments and Western companies, Marquis-Boire is “extraordinarily talented,” says Ron Deibert, a professor of political science at the University of Toronto and Citizen Lab’s director. “There are some people who are phenomenally adept at forensics, who have an intuitive sense of how to make connections through different pieces of evidence,” he says. “Morgan has those skills… But what I very much appreciate about him is his passion for human rights.”

A Cypherpunk In The Newsroom

First Look and Marquis-Boire aren’t saying much about exactly what he’ll do at the closely-watched new media startup. But Marquis-Boire says he was convinced early in their recruitment meetings that First Look will treat security as a central tenet. The job also presents a challenge worthy of leaving his high profile position at Google: Protecting the communications between non-technical reporters and their highly-sensitive sources in a post-WikiLeaks and -Snowden era where they’re both increasingly targeted by spooks.

Marquis-Boire hints that he’s already researching security vulnerabilities that affect journalists, and working with several companies to release security fixes to their services in the next couple of months. Brian Sweeney, First Look’s head of technology operations, says Marquis-Boire’s work likely will extend into research designed to protect reporters beyond the company’s firewall. “The idea that all digital citizens, including and especially journalists, have access to data privacy is something that we strongly believe in,” says Sweeney.

Marquis-Boire, the son of two literature professors at the University of Auckland, got started with security experimentation as a teenager in the New Zealand hacker scene under the handle “headhntr.” After starting college at Auckland, he and a group of friends wrote an article for the university magazine about breaking into the school’s website to take over the server that ran it. On another occasion he was called into a local telecom’s office and “given a stern talking to about using their services as a test lab.”

But from the beginning, his interest in hacking was also political: In the late 1990s the Kiwi teenager discovered the Cypherpunks Mailing List, a group of cryptographers and radical libertarians bent on foiling government surveillance and empowering individuals with privacy tools. The group eventually would foster projects like the anonymous remailers that relay emails to obscure their senders’ identities, the anonymity software Tor, WikiLeaks, and countless other privacy and encryption projects. “People realized that to actually have free speech, we have to be sure we won’t be monitored or persecuted,” says Marquis-Boire. “The intertwined nature of privacy and free expression was at the core of the cypherpunk movement.”

Marquis-Boire and friends soon hosted what he says was the first anonymous remailer server in New Zealand out of a “dingy warehouse apartment with far too many blinking lights and whirring things.” Eventually, he ran five Tor relays, the nodes in the Tor network that bounce users’ traffic to obscure their location.

But Marquis-Boire’s first real job in security, penetration-testing banks, power plants, and other clients for a New Zealand auditing firm, was unsatisfying. “I spent a bit of time musing about how much it costs to hire security consultants to do something like a black box [penetration test] of your whole enterprise,” he says. “I wanted to give my skills to the people who really needed them.”

“He Has Quite a Hacker Mind”

In 2008, Google hired Marquis-Boire in its Zurich, Switzerland office. He was assigned to cybersecurity incident response at the company not long before the biggest known security crisis in its history: the so-called Aurora hacking operation, in which Chinese hackers breached Google’s network for months and stole information that included source code from its servers. Marquis-Boire became an early member of the core team of network defenders assigned to battle the state-sponsored spies trying to eavesdrop on Google’s users. “He has quite a hacker mind,” says Heather Adkins, Google’s manager of information security. “Of everyone I’ve ever hired at Google, I’d put him in the top one percent of technical capability.”

When the Arab Spring began a year later, human rights activists like those at Citizen Lab who had seen Marquis-Boire’s presentations on state-sponsored hacking began seeking his help analyzing attacks on vulnerable groups across the Middle East. As revolutions and political unrest blossomed from Tunisia to Egypt to Libya to Syria, his detective work became nearly a full-time job. “There have been a lot of books not read and canceled vacations,” he says.

In the meantime, Google’s Adkins adds, Marquis-Boire frequently uncovered weaknesses in the company’s defenses for users—and he’s been just as focused on locking out the NSA as China’s People’s Liberation Army. In the wake of revelations from Snowden’s leaks that the NSA spied on unencrypted Google data moving between the company’s data centers, Marquis-Boire was one of the first at the company to push for encryption not only of the company’s internal data transfers, but also the exchange of emails between Gmail and other providers. That pressure led Google earlier this month to start publicly naming which email services do and don’t allow for that encryption in a bid to pressure other companies to safeguard users’ privacy.

That notion represents a shift from the cypherpunk views of Marquis-Boire’s youth. Once, cypherpunks were mainly interested in seizing privacy for themselves. Now, he says, that’s no longer enough. “When we discovered that we could create private and anonymous communications with math, that was super cool,” he says. “But then after a while I think it dawned on us as a movement that the only conversations you could have with those tools were with other cypherpunks.”

“Now it’s been thrust into our faces that the people practicing adversarial journalism and exposing human rights abuses are the real-world targets of precisely the kind of thing that the cypherpunk movement was trying to protect against,” says Marquis-Boire. “It’s become apparent we need to provide privacy to those who need it, not just to ourselves.”

[1] Correction 7/8/2014 12:27pm: An earlier version of the story misstated Glenn Greenwald’s and Laura Poitras’s role at First Look as founders.